VDB
JLSEC-2026-67
JLSEC-2026-67
PUBLISHED
ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9.
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Julia | OpenSSH_jll | 8.9.0+0, 8.9.0+0 |
Timeline
- Apr 9, 2026 CVE Published
- Apr 9, 2026 CVE Updated
- May 1, 2026 Distribution Patch
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AN2UDTXEUSKFIOIYMV6JNI5VSBMYZOFT/ url
- https://security.gentoo.org/glsa/202307-01 url
- https://security.netapp.com/advisory/ntap-20230413-0008/ url
- https://www.debian.org/security/2023/dsa-5586 url
- https://www.openwall.com/lists/oss-security/2023/03/15/8 url
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AN2UDTXEUSKFIOIYMV6JNI5VSBMYZOFT/ url